Dofoil: Crypto-mining Malware Outbreak Infects 500,000 Computers in One Day

Microsoft experts were able to halt a massive cryptocurrency-mining malware outbreak this week, an attack that spread to roughly 500,000 computers in a single day.

Engineers at the firm’s Windows Defender research department revealed in a report Wednesday that on March 6 its anti-virus system detected “several sophisticated trojans” spreading rapidly across Russia, Turkey and Ukraine.

The malware, the team found, was a new variant of “Dofoil,” also dubbed “Smoke Loader” by some cyber researchers, carrying a “coin miner payload.” Upon infection, it could use a computer’s CPU power to make digital cash.

According to Microsoft, it was able to recognize the issue within milliseconds by using its in-house behavior monitoring and machine learning techniques.

The malware was seemingly designed to mine a cryptocurrency known as Electroneum. The team said that the Dofoil Trojan is able to connect to a hacker’s command and control (C&C) server and listen for fresh commands, including the installation of additional malware. Analysts say the strain has existed since at least 2011, when it was first discovered for sale in an early state on an underground marketplace.

The most recent Dofoil campaign, researchers explained, was able to replace legitimate Microsoft Windows Explorer code with the covert malware.

They said criminals are increasingly using coin miners over ransomware, which is a form of attack that locks down files and demands money for their return.

“Because the value of bitcoin and other cryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in their attacks,” the blog post said. “Exploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior.”


While Dofoil/Smoke Loader has been used in nefarious hacking operations for almost a decade, it recently made headlines after Malwarebytes, a cybersecurity firm, discovered it was posing as a patch for Spectre and Meltdown, two major flaws that exist in nearly every computer processor on the market.

“Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns,” Malwarebytes wrote in an advisory. “This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.”

“It’s not a kid in a basement”

Security researcher Kevin Beaumont said in a series of Twitter updates on Wednesday that the true extent of global infections was likely larger in scope than reported by Microsoft, because the U.S. tech company was only able to see those infections detected by its own anti-virus software.

“Had that been ransomware this would have been a major, media breaking incident,” he wrote. “However due to coin mining it will push this to the bottom of board room piles. It shouldn’t be, but that’s current shift.

“SmokeLoader usage allows any payload targeted to different assets. Custom coin miner…is different to almost everything else. Distributed to six figures of systems with no infosec traffic [until] now. It’s not a kid in a basement.”

The culprits behind the latest hacking scheme remain unknown. Microsoft did not immediately respond to a request for comment.